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(57) ABSTRACT 

A scheme for carrying out modular calculations which is 
capable of carrying out modular calculations using redun- 
dant binary calculation even when a number of bits of the 
mantissa (dividend) is larger than a number of bits of the 
modulus (divisor). In this scheme, the divisor c in the divisor 
register is left shifted by (i-j) digits when a number of digits 
j of the divisor c is less than a number of digits i that can be 
stored in the divisor register, and the modular reduction a 
mod c is calculated up to (i-j)-th decimal place using the 
dividend a and the left shifted divisor c. Alternatively, the 
divisor c given in h-ary notation in the divisor register is left 
shifted by (i-j) digits when a number of digits j of the divisor 
c is less than a number of digits i that can be stored in the 
divisor register, while the dividend a given in h-ary notation 
in the dividend register is left shifted by (k-1) digits when a 
number of digits 1 of the dividend a is less than a number of 
digits k that can be stored in the dividend register, where 
k^i. Then, the modular reduction a mod c is calculated up 
to a digit of [(k-l)-(i-j)]-lh power of h using the left shifted 
dividend a and the left shifted divisor c to obtain a 
remainder, and this remainder is right shifted by (k-1) digits. 

63 Claims, 8 Drawing Sheets 
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SCHEME FOR CARRYING OUT MODULAR 
CALCULATIONS BASED ON REDUNDANT 
BINARY CALCULATION 

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

The present invention relates to a scheme for carrying out 
modular calculations, especially modular exponentiation 
calculations, which are necessary for basic operations and 
key generation in public key cryptosystcms such as RSA 
cryptosystem. 

2. Description of the Background Art 

Basic operations and key generation in public key cryp- 
tosystems such as RSA cryptosystem require modular cal- 
culations such as modular exponentiation a fc mod c, modular 
multiplication axb mod c, and modular reduction a mod c. 
In addition, application protocols utilizing public key cryp- 
tosystems often utilize these modular calculations in com- 
bination. Consequently one frequently encounters cases 
where some modular calculation result is to be used in next 
calculation. In view of this fact, there has been a proposition 
of a calculation scheme using redundant binary calculation, 
as disclosed in A. Vandcmeulebroccke, et al.: "A New 
Carry-Free Division Algorithm and its Application to a 
Single-Chip 1024-b RSA Processor", IEEE Journal of Solid- 
State Circuits, Vol. 25, No. 3, pp. 748-756, June 1990. 

However, this conventional scheme has been associated 
with the problem that modular exponentiation a 6 mod c and 
modular reduction a mod c cannot be calculated when |a|>|cj. 
In the following description, |k| will be referred to as a 
number of bits of k, and a, b and c appearing in modular 
exponentiation a fr mod c will be referred to as mantissa 
(dividend), exponent, and modulus (divisor), respectively. 

In principle, the redundant binary calculation requires the 
most significant bit of a divisor in binary expression to be 
"1" in a case of division, so that there has been a limitation 
that a number of bits of a divisor of a designed division 
circuit must coincide with a number of bits of a divisor to be 
used in calculation. 

In this regard, there has been a proposition disclosed in 
Japanese Patent Application Laid Open No. 8-147266 
(1996) for removing this limitation on a number of bits of a 
modulus by the following provisions. 

(1) An entire divisor (modulus) is left shifted until the 
most significant bit of a divisor (modulus) becomes "1". 

(2) An entire dividend (mantissa) is also left shifted as 
much as a shifting made in (1). 

(3) A calculation is carried out by the conventional 
redundant binary calculation. 

(4) A calculation result is right shifted as much as a 
shifting made in (1) in order to correct the calculation result. 

However, since the mantissa is to be right shifted for the 
same number of bits as the modulus in (2), there has been a 
problem that an accurate calculation becomes impossible 
when a number of bits of the mantissa is larger than a 
number of bits of the modulus because of the overflow. 

Under such condition, when an application of this propo- 
sition to LSI is considered, there is no problem when the 
mantissa is set to be smaller than the modulus in advance, 
but it is rather inconvenient for applications to various 
application programs. For example, in a case of modular 
multiplication axb mod c, one usually has a<c and b<c but 
a product axb becomes larger than c in general so that this 
calculation cannot be carried out by this proposition. 
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Now, the modular exponentiation is frequently utilized as 
basic operations in public key cryptosystems. For example, 
in RSA cryptosystem, modular exponentiation using a secret 
exponent is to be carried out in the decryption operation and 

s the signing operation. 

Conventionally, almost all public key cryptosystems uti- 
lize modular exponentiation, which can be expressed as & b 
mod c. In the signing operation or the decryption operation, 
at least one of the three parameters involved in modular 

10 exponentiation is to be kept secret. 

However, when three parameters are exactly the same, an 
identical result will be obtained obviously. On the other 
hand, in a case of carrying out modular exponentiation using 
a dedicated processor, an identical calculation result is 

15 always obtained when an environment such as operation 
frequency is constant. Then, there is a report which points 
out that a secret key can be obtained by utilizing these 
features, as disclosed in P. C. Kocher: "Timing Attacks on 
Implementations of Diffie-Hellman, RSA, DSS, and Other 

20 Systems", Advances in Cryptology— CRYPTO '96, Lecture 
Notes in Computer Science 1109, pp. 104-113, Springer- 
Verlag. 

This method (called timing attack) is somewhat time 
consuming and not very easy, but still far easier than a 

25 method for deriving a secret key by utilizing mathematical 
features or a method for carrying out the extensive search of 
a secret key. This method becomes more dangerous in an 
environment in which the time can be measured more 
accurately. Moreover, this method becomes more dangerous 

30 when a number of parallel jobs is fewer. 

Thus, the secret key calculation utilizing modular expo- 
nentiation and the like has the same amount of calculations 
for exactly the same parameters, and there arc cases where 

35 this feature can be maliciously utilized to obtain a secret key. 

SUMMARY OF THE INVENTION 

It is therefore an object of the present invention to provide 
a scheme for carrying out modular calculations which is 

40 capable of carrying out modular calculations using redun- 
dant binary calculation even when a number of bits of the 
mantissa is larger than a number of bits of the modulus. 

It is another object of the present invention to provide a 
scheme for calculating modular exponentiation capable of 

45 preventing the timing attack for obtaining a secret key by 
utilizing the same parameters, which is a known attacking 
method for the public key cryptosystem using modular 
exponentiation by a dedicated processor. 
According to one aspect of the present invention there is 

so provided a method for carrying out modular calculations 
based on a redundant binary calculation scheme, including 
a modular reduction a mod c where a is a dividend and c is 
a divisor, comprising the steps of: (a) registering the divi- 
dend a and the divisor c in a dividend register and a divisor 

ss register, respectively; (b) left shifting the divisor c in the 
divisor register by (i-j) digits when a number of digits j of 
the divisor c is less than a number of digits i that can be 
stored in the divisor register; and (c) calculating the modular 
reduction a mod c up to (i-j)-th decimal place using the 

60 dividend a in the dividend register and the divisor c in the 
divisor register as left shifted by the step (b), to obtain a 
remainder as a modular reduction result. 

According to another aspect of the present invention there 
is provided a method for carrying out modular calculations 

65 based on a redundant binary calculation scheme, including 
a modular reduction a mod c where a is a dividend given in 
h-ary notation and c is a divisor given in h-ary notation, 
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comprising the steps of: (a) registering the dividend a and 
the divisor c in a dividend register and a divisor register, 
respectively; (b) left shifting the divisor c in the divisor 
register by (i-j) digits when a number of digits j of the 
divisor c is less than a number of digits i that can be stored 
in the divisor register; (c) left shifting the dividend a in the 
dividend register by (k-1) digits when a number of digits 1 
of the dividend a is less than a number of digits k that can 
be stored in the dividend register, where k^i; (d) calculating 



based on a redundant binary calculation scheme, including 
a modular reduction a mod c where a is a dividend given in 
h-ary notation and c is a divisor given in h-ary notation, 
comprising: a dividend register for registering the dividend 
a; a divisor register for registering the divisor c; a divisor 
shifting unit for left shifting the divisor c in the divisor 
register by (i-j) digits when a number of digits j of the 
divisor c is less than a number of digits i that can be stored 
in the divisor register; a dividend shifting unit for left 



the modular reduction a mod c up to a digit of [(k-t)-(i- 10 shifting the dividend a in the dividend register by (k-1) digits 



j)]-th power of h using the dividend a in the dividend register 
as left shifted by the step (c) and the divisor c in the divisor 
register as left shifted by the step (b), to obtain a remainder; 
and (e) right shifting the remainder obtained by the step (d) 
by (k-1) digits, to obtain a modular reduction result. 

According to another aspect of the present invention there 
is provided a method for carrying out modular calculations 
based on a redundant binary calculation scheme, including 
a modular multiplication axb mod c where a and b are 



when a number of digits 1 of the dividend a is less than a 
number of digits k that can be stored in the dividend register, 
where k^i; a calculation unit for calculating the modular 
reduction a mod c up to a digit of [(k-l)-(i-j)]-th power of 
15 h using the dividend a in the dividend register as left shifted 
by the dividend shifting unit and the divisor c in the divisor 
register as left shifted by the divisor shifting unit, to obtain 
a remainder; and a remainder shifting unit for right shifting 
the remainder obtained by the calculation unit by (k-1) 
dividends and c is a divisor, comprises the steps of: (a) 20 digits, to obtain a modular reduction result, 
obtaining a first modular reduction a'=a mod c by: (aa) According to another aspect of the present invention there 
registering the dividend a and the divisor c in a first dividend is provided a device for carrying out modular calculations 
register and a second divisor register, respectively; (ab) left based on a redundant binary calculation scheme, including 
shifting the divisor c in the first divisor register by (i-j) a a modular multiplication axb mod c where a and b are 
digits when a number of digits j of the divisor c is less than 25 dividends and c is a divisor, comprising: a first modular 
a number of digits i that can be stored in the first divisor reduction calculation unit including: a first dividend register 
register; and (ac) calculating the first modular reduction a'-a for registering the dividend a; a first divisor register for 
mod c up to (i-j)-th decimal place using the dividend a in the registering the divisor c; a shifting unit for left shifting the 
first dividend register and the divisor c in the first divisor divisor c in the first divisor register by (i-j) digits when a 
register as left shifted by the step (ab), to obtain a remainder 30 number of digits j of the divisor c is less than a number of 
as a modular reduction result; (b) obtaining a second modu- digits i that can be stored in the first divisor register; and a 
lar reduction b'=b mod c by: (ba) registering the dividend b first calculation unit for calculating a first modular reduction 
and the divisor c given in h-ary notation in a second dividend a'=a mod c up to (i-j)-th decimal place using the dividend a 
register and a second divisor register, respectively; (bb) left in the first dividend register and the divisor c in the first 
shifting the divisor c in the second divisor register by (m-n) 3s divisor register as left shifted by the shifting unit, to obtain 
digits when a number of digits n of the divisor c is less than a remainder as a modular reduction result; a second modular 
a number of digits m that can be stored in the second divisor reduction calculation unit including: a second dividend 
register; (be) left shifting the dividend b in the second register for registering the dividend b given in h-ary nota- 
dividend register by (k-1) digits when a number of digits 1 tion; a second divisor register for registering the divisor c 
of the dividend b is less than a number of digits k that can 40 given in h-ary notation; a divisor shifting unit for left 
be stored in the dividend register, where k^m; (bd) calcu- shifting the divisor c in the second divisor register by (m-n) 
lating the second modular reduction a'-a mod c up to a digit digits when a number of digits n of the divisor c is less than 
of [(k-l)-(m-n)]-lh power of h using the dividend b in the a number of digits m that can be stored in the second divisor 
second dividend register as left shifted by the step (be) and register; a dividend shifting unit for left shifting the dividend 
the divisor c in the second divisor register as left shifted by 45 b in the second dividend register by (k-1) digits when a 
the step (bb), to obtain a remainder; and (be) right shifting number of digits 1 of the dividend b is less than a number of 
the remainder obtained by the step (bd) by (k-1) digits, to digits k that can be stored in the second dividend register, 
obtain a modular reduction result; and (c) calculating a where k^m; a second calculation unit for calculating a 
modular multiplication a'xb' mod c using a' obtained by the second modular reduction b*-b mod c up to a digit of 
step (a) and b' obtained by the step (b), to obtain a modular 50 [(k-l)-(m-n)]-th power of h using the dividend b in the 
multiplication result. second dividend register as left shifted by the dividend 

According to another aspect of the present invention there shifting unit and the divisor c in the second divisor register 
is provided a device for carrying out modular calculations as left shifted by the divisor shifting unit, to obtain a 
based on a redundant binary calculation scheme, including remainder; and a remainder shifting unit for right shifting 
a modular reduction a mod c where a is a dividend and c is 55 the remainder obtained by the second calculation unit by 



a divisor, comprising: a dividend register for registering the 
dividend a; a divisoi register for registering the divisor c; a 
shifting unit for left shifting the divisor c in the divisor 
register by (i-j) digits when a number of digits j of the 
divisor c is less than a number of digits i that can be stored eo 
in the divisor register, and a calculation unit for calculating 
the modular reduction a mod c up to (i-j)-th decimal place 
using the dividend a in the dividend register and the divisor 
c in the divisor register as left shifted by the shifting unit, to 
obtain a remainder as a modular reduction result. 

According to another aspect of the present invention there 
is provided a device for carrying out modular calculations 



(k-1) digits, to obtain a modular reduction result; and a 
modular multiplication calculation unit for calculating a 
modular multiplication a'xb' mod c to obtain a modular 
multiplication result. 

According to another aspect of the present invention there 
is provided an article of manufacture, comprising: a com- 
puter usable medium having computer readable program 
code means embodied therein for causing a computer to 
function as a system for carrying out modular calculations 
65 based on a redundant binary calculation scheme, including 
a modular reduction a mod c where a is a dividend and c is 
a divisor, the computer readable program code means 
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obtain a second modular reduction by: registering the divi- 
dend b and the divisor c given in h-ary notation in a second 
dividend register and a second divisor register, respectively; 
left shifting the divisor c in the second divisor register by 
(m-n) digits when a number of digits n of the divisor c is less 
than a number of digits m that can be stored in the second 
divisor register; left shifting the dividend b in the second 
dividend register by (k-1) digits when a number of digits I 
of the dividend a is less than a number of digits k that can 
be stored in the second dividend register, where k=m; 
calculating a second modular reduction b'-b mod c up to a 
digit of [(k-l)-(m-n)]-th power of h using the dividend b in 
the second dividend register as left shifted and the divisor c 
in the second divisor register as left shifted, to obtain a 
remainder; and right shifting the remainder by (k-1) digits, 
to obtain a modular reduction result; and a third computer 
readable program code means for causing said computer to 
calculate a modular multiplication a'xb' mod c to obtain a 
modular multiplication result. 

Other features and advantages of the present invention 
will become apparent from the following description taken 
in conjunction with the accompanying drawings. 

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is a block diagram of a modular calculation device 
according to the first embodiment of the present invention. 

FIG. 2 is a block diagram showing an internal configu- 
ration of a parameter shifting unit in the modular calculation 
device of FIG. 1. 

FIGS. 3A, 3B and 3C are diagrams showing exemplary 
modular calculations carried out by the modular calculation 
device of FIG. 1. 

FIG. 4 is a diagram showing an exemplary modular 
calculation on according to a redundant binary calculation 
scheme carried out by the modular calculation device of 
FIG. 1. 

FIG. 5 is a schematic block diagram showing exemplary 

. ° , , v.- • „„ • (U _ j:.„v„, cases of timing attacks that can occur in a typical commu- 

readablc program code means and the divisor c in the divisor 40 . . 6 Jr 

register as left shifted by the second computer readable nicalion system. 

program code means, to obtain a remainder; and fifth FIG - 6 is a flow chart for an outline of a scheme for 

computer readable program code means for causing said 
computer to right shift the remainder obtained by the fourth 
computer readable program code means by (k-1) digits, to 45 
obtain a modular reduction result. 

According to another aspect of the present invention there 
is provided an article of manufacture, comprising: a com- 
puter usable medium having computer readable program 
code means embodied therein for causing a computer to 50 FIG. 7. 
function as a system for carrying out modular calculations 



including: first computer readable program code means for 
causing said computer to registering the dividend a and the 
divisor c in a dividend register and a divisor register, 
respectively; second computer readable program code 
means for causing said computer to left shift the divisor c in 
the divisor register by (i-j) digits when a number of digits 
j of the divisor c is less than a number of digits i that can be 
stored in the divisor register; and third computer readable 
program code means for causing said computer to calculate 
the modular reduction a mod c up to (i-j)-th decimal place 
using the dividend a in the dividend register and the divisor 
c in the divisor register as left shifted by the second 
computer readable program code means, to obtain a remain- 
der as a modular reduction result. 

According to another aspect of the present invention there 
is provided an article of manufacture, comprising: a com- 
puter usable medium having computer readable program 
code means embodied therein for causing a computer to 
function as a system for carrying out modular calculations 
based on a redundant binary calculation scheme, including 
a modular reduction a mod c where a is a dividend given in 
h-ary notation and c is a divisor given in h-ary notation, the 
computer readable program code means including: first 
computer readable program code means for causing said 
computer to registering the dividend a and the divisor c in a 25 
dividend register and a divisor register, respectively; second 
computer readable program code means for causing said 
computer to left shift the divisor c in the divisor register by 
(i-j) digits when a number of digits j of the divisor c is less 
than a number of digits i that can be stored in the divisor 
register; third computer readable program code means for 
causing said computer to left shift the dividend a in the 
dividend register by (k-1) digits when a number of digits 1 
of the dividend a is less than a number of digits k that can 
be stored in the dividend register, where k=i; fourth com- 35 
puter readable program code means for causing said com- 
puter to calculate the modular reduction a mod c up to a digit 
of [(k-l)-(i-j)]-th power of h using the dividend a in the 
dividend register as left shifted by the third computer 



30 



calculating modular exponentiation according to the second 
embodiment of the present invention. 

FIG. 7 is a block diagram of a modular exponentiation 
calculation device according to the second embodiment of 
the present invention. 

FIG. 8 is a flow chart of an operation to determine a delay 
lime in the modular exponentiation calculation device of 



based on a redundant binary calculation scheme, including 
a modular multiplication axb mod c where a and b are 
dividends and c is a divisor, the computer readable program 
code means including: a first computer readable program 55 
code means for causing said computer to obtain a first 
modular reduction a'=a mod c by: registering the dividend a 
and the divisor c in a first dividend register and a first divisor 
register, respectively; left shifting the divisor c in the first 

divisor register by (i-j) digits when a number of digits j of 60 redundant binary calculation unit 101, a parameter shifting 



DETAILED DESCRIPTION OF THE 
PREFERRED EMBODIMENTS 

Referring now to FIG. 1 to FIG. 4, the first embodiment 
of a scheme for carrying out modular calculations according 
to the present invention will be described in detail. 

FIG. 1 shows a configuration of a modular calculation 
device 100 in this first embodiment, which comprises a 



the divisor c is less than a number of digits i that can be 
stored in the first divisor register; and calculating a first 
modular reduction a mod c up to (i-j)-th decimal place using 
the dividend a in the first dividend register and the divisor c 
in the first divisor register as left shifted, to obtain a 
remainder as a modular reduction result; a second computer 
readable program code means for causing said computer to 



unit 102, and a parameter register unit 103 made of general 
purpose registers. This modular calculation device 100 can 
be realized most conveniently by a single-chip LSI. 

The redundant binary calculation unit 101 carries out the 
redundant binary calculation. Parameter input and output 
ports of the redundant binary calculation unit 101 are 
connected with the parameter shifting unit 102. Also, the 



03/10/2004, EAST Version: 1.4.1 



US 6,175,850 Bl 



8 



10 



20 



parameter register unit 103 is a register for the purpose of 
storing parameters used in the parameter shifting unit 102, 
and functions as data input/output interface between internal 
bus and external bus of the modular calculation device 100. 

In further detail, the parameter shifting unit 102 has an 
internal configuration as shown in FIG. 2, which comprises: 
a dividend left bit shifting unit 1021 for left bit shifting a 
dividend a to yield ax? to be supplied to the redundant 
binary calculation unit 101 as a dividend; a dividend shifted 
bits memory unit 1022 for storing a shifted bits j by which 
the dividend a is bit shifted by the dividend left bit shifting 
unit 1021; a divisor left bit shifting unit 1023 for left bit 
shifting a divisor c to yield cx2* to be supplied to the 
redundant binary calculation unit 101 as a divisor; a divisor 
shifted bits memory unit 1024 for storing a shifted bits i by 
which the divisor c is bit shifted by the divisor left bit 
shifting unit 1023; a number of divisions control unit 1025 
for controlling the redundant binary calculation unit 101 to 
carry out additional divisions for (i-j) times according to i 
and j stored in the dividend shifted bits memory unit 1022 
and the divisor shifted bits memory unit 1024; and a 
remainder right bit shifting unit 1026 for right bit shifting a 
remainder rx2'" ; obtained by the redundant binary calcula- 
tion unit 101 according to i and j stored in the dividend 
shifted bits memory unit 1022 and the divisor shifted bits 25 
memory unit 1024 to yield a remainder r to be supplied to 
the parameter register unit 103 as a calculated remainder. 

Now, the operation in this modular calculation device 100 
of FIG. 1 will be described for different types of modular 
calculations separately. 

a mod c 

As a simplest example, a case of modular reduction a mod 
c will be described first. 

From the limitation in a case of division, the calculation 
cannot be carried out unless a number of bits of a modulus 
is equal to a bit length k of a register of the modulus c at a 
time of designing a redundant binary calculation circuit. In 
other words, the calculation cannot be carried out unless the 
most significant bit of a register of the modulus c is "1". 

For this reason, according to the conventional proposition, 
this limitation is compensated by utilizing: 
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a mod e-{(ax20 mod (cx^fl 1 



0) 



and setting cx2' equal to k so as to convert modulus into the 
same number of bits as a register for storing the modulus c. 

In a case of general purpose register configuration, it is 
customary to use registers of the same bit length for the 
purpose of storing a and c. 

Also, the modular calculation on the right hand side of the 
above equation (1) makes sense when a>c, but as can be seen 
from the left hand side of the above equation (1), the 
mantissa is also to be multiplied by 2', so that when a 
mantissa register is set to have the same number of bits as 
a modulus register, the above equation (1) can be actually 
utilized only when the following conditions (2) and (3) both 
hold simultaneously: 
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(2) 
(3) 
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which is a severely limited condition. 

In view of this, this first embodiment removes the con- 
dition (3) and makes it possible to carry out modular 
calculation as long as a and c are within bit lengths of 
respective registers even when 



For the sake of ease of comprehension, an exemplary case 
of using decimal numbers is shown in FIGS. 3 A, 3B and 3C. 

The ordinary division can be expressed as shown in FIG. 
3 A, where a division of 243/13=18 with a remainder 9 is 
calculated. 

Now, suppose that each one of a divisor register and a 
dividend register has four digits in decimal expression. 
Then, suppose that the most significant digit of the divisor 
register must be non-zero. Under this condition, the calcu- 
lation can be rcalbxd by the following two methods. 

Method 1 (FIG. 3B) 

Step 1: By carrying (left shifting) the divisor by two 
digits, the most significant digit in the divisor register 
becomes non-zero. 

13—1300 (201 of FIG. 3B) 

Step 2: In calculating 243/1300, the calculation is carried 
out up to the second decimal place, as much as two digits by 
which the divisor is carried in Step 1. 

243/1300=0.18 with remainder 9 (202 of FIG. 3B) 

Step 3: The remainder 9 is obtained (203 of FIG. 3B). 
Method 2 (FIG. 3C) 

Step 1: By carrying (left shifting) the divisor by two 
digits, the most significant digit in the divisor register 
becomes non-zero. 

13—1300 (211 of FIG. 3C) 

Step 2: By carrying (left shifting) the dividend by one 
digit so that the most significant digit in the dividend register 
becomes non-zero, similarly as in the case of the divisor 
register. 

243—2430 (212 of FIG. 3C) 

Step 3: In calculating 2430/1300, the calculation is carried 
out up to the first decimal place, as much as 2-1=1 digit by 
which the carrying is made in Step 1 and Step 2. 

2430/1300=1.8 with remainder 90 (213 of FIG. 3C) 

Step 4: The remainder is right shifted by one digit, as 
much as the carrying is made in Step 3. 

90-9 (214 of FIG. 3C) 

This Method 2 can be stated with more generality as 
follows. Namely, in a case where the dividend a and the 
divisor c are given in h-ary notation and the divisor c in the 
divisor register is left shifted by (i-j) digits when a number 
of digits j of the divisor c is less than a number of digits i that 
can be stored in the divisor register while the dividend a in 
the dividend register is left shifted by (k-1) digits when a 
number of digits 1 of the dividend a is less than a number of 
digits k that can be stored in the dividend register, where 
k^i, the calculation of modular reduction a mod c is carried 
out up to a digit of [(k-l)-(j-l)]-th power of h using the left 
shifted dividend a in the dividend register and the left shifted 
divisor c in the divisor register to obtain a remainder, and 
then the obtained remainder is right shifted by (k-1) digits, 
to obtain a modular reduction result. Stated this way, 
Method 2 is valid even when l>i. 

When Method 1 and Method 2 are compared, Method 1 
requires fewer steps. On the other hand, when Step 2 of 
Method 1 and Step 3 of Method 2 are compared, a number 
of divisions is fewer in Method 2. Consequently, which 
method can carry out the calculation faster depends on a 
circuit configuration. 

In general, a digit shift of data bus width (plural digits) 
and one division (one digit unit) require the same number of 
clocks so that Method 2 using digit shift is more efficient. 

When these two methods are extended into binary 
numbers, they are applicable to redundant binary numbers. 
As a result, it becomes possible to carry out the calculation 
even when |a|^|c|. 
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axb mod c 

Next, a case of modular multiplication axb mod c will be 
described, For modular multiplication, the basic redundant 
binary calculation circuit can be used when 



a<c, b<c 



(5) 



10 



20 



but modular multiplication cannot be carried out directly 
when 

\a*b\<\c\ (fi) 

For this reason, the calculation is carried out by the 
following steps. 

Step 1: Input a and c, and reduce mantissa a into a'=a mod 
c which is less than or equal to the modulus c, using a 
method of modular reduction described above. 

Step 2: Input b, and reduce mantissa b into b'-b mod c 
which is less than or equal to the modulus c, using a method 
of modular reduction described above. 

Step 3: Carry out modular multiplication a'xb' mod c. In 
other words, the following relationship is utilized here. 

(axb) mod c-{(o mod c)x(6 mod c)} mod c-(a'x£>} mod c 

By this provision, as long as each parameter has a number 
of bits less than or equal to a number of bits that can be 
stored in its register, it is possible to carry out modular 25 
multiplication regardless of sizes of parameters. 

It is to be noted that, in realizing this modular 
multiplication, both of the modular reduction a'-a mod c and 
the modular reduction b'=b mod c can be carried out by 
Method 1 or Method 2 described above, but it is also 30 
possible to carry out one of them by Method 1 and another 
one of them by Method 2. In some cases, such a mixed use 
of Method 1 and Method 2 can realize a faster calculation. 
: mod c 



First, FIG. 5 shows an exemplary case where a sender 
terminal 102 carries out the signing operation and sends the 
operation result toward a receiver terminal 104 through a 
communication network 103, and an eavesdropper (attacker) 
101 attempts to guess a secret key by monitoring and 
crypto analyzing the communication. 

In this case, places where the cryploanalysis can take 
place are a vicinity of the sender terminal 102, the commu- 
nication network 103, and a vicinity of the receiver terminal 
104, in decreasing order of ease of the cryptoanalysis (that 
is, decreasing order of danger of being eavesdropped). The 
biggest reason for this is that less contribution from the 
processing related to the communication is involved at a 
place nearer to the sender terminal 102. On the other hand, 
the easiest place to monitor the communication is a portion 
of the communication network (public network) 103. 

Now, consider the following case in which the cryp- 
loanalysis is easiest. Namely, suppose that a dedicated 
processor for modular exponentiation is provided at the 
sender terminal 102 and it is possible to obtain a processing 
time, a public information such as public key, and a pro- 
cessing result for that processor. The object of the eaves- 
dropper 101 then is to store a plurality of these results and 
guess a secret key used in that processing. 

The main reason why this is the case where the cryp- 
toanalysis is easiest is that the same processing time is taken 
for the same input and there is hardly any influence on the 
other processing because of the use of the dedicated pro- 
cessor. 

In view of this, this second embodiment is directed to a 
case of using such a dedicated processor, where either a 
circuit having an uncertain delay time is provided within the 
processor or a random delay time is given from external so 
that the processing time becomes different at different occa- 



Next, a case of modular exponentiation a* mod c will be 35 sions of processing even for the same input, thereby effec- 



described. Modular exponentiation can be realized by itera- 
tions of modular multiplication axb mod c so that modular 
exponentiation can be calculated by a redundant binary 
calculation circuit. 

Thus a case of modular exponentiation can be reduced to to 
modular multiplications. 

Application to Binary Calculation 

FIG. 4 shows a concrete example in a case of applying a 
scheme of this first embodiment to binary numbers. 

In FIG. 4, the modulus c is bit shifted up to the most 45 
significant bit of a register for the modulus c to yield c' (301 
of FIG. 4 where c is bit shifted by 12 bits). Next, a mantissa 
a is byte shifted until the most significant byte of a register 
of the mantissa a contains "1" to yield a' (302 of FIG. 4 
where a is byte shifted by 2 bytes). In this manner, it 
becomes possible to apply the redundant binary calculation. 

Then, a division is started. Here, however, the last bit for 
carrying out division is set to be as many bits from the most 
significant bit of the modulus as a difference between shifted 
bits of the modulus and the mantissa (303 of FIG. 4 where 
the difference is four bits). Thus, the answer, i.e. a remainder, 
becomes 304 as indicated in FIG. 4. 

As described, this first embodiment takes full advantage 
of fast calculation due to the use of the redundant binary 
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tivcly preventing the timing attacks. 

More specifically, according to this second embodiment, 
in the modular exponentiation calculation which is the basic 
operation of the public key cryplosystem, a delay time at a 
critical path due to transmission delay is varied for each 
modular exponentiation calculation, according to the proce- 
dure shown in FIG. 6. 

Namely, a delay information for varying a processing time 
for modular exponentiation is entered (step SI), and a delay 
time is determined according to the entered delay informa- 
tion (step S2). Then, the modular exponentiation calculation 
is carried out while varying the delay time applied to the 
calculation according to the determined delay time (step S3). 

In further detail, an initial value (seed) necessary for 
generating a random number is generated first, and a random 
number is generated according to the initial value, and then 
the delay time is generated according to the generated 
random number. At a time of generating the initial value to 
be used in the random number generation, a plurality of 
initial values can be generated and a random number can be 
generated from these plurality of initial values. 

FIG. 7 shows a configuration of a modular exponentiation 
calculation device 200 in this second embodiment, which 
comprises a modular exponentiation calculation control unit 



calculation, while removing the limitation on a number of 60 201 including a delay time adjustment unit 202 and a 



bits of the modulus which is the disadvantage of the redun- 
dant binary calculation. 

Referring now to FIG. 5 to FIG. 8, the second embodi- 
ment of a scheme for carrying out modular calculations 
according to the present invention will be described in detail. 
This second embodiment is directed to a case of calculating 
modular exponentiation. 



65 



maximum calculation delay time memory unit 209, a delay 
time determining unit 203, a random number generation unit 
204, an initial value composition unit 205, an initial value 
generation unit 207, a calculation result feedback unit 208, 
and a modular multiplication calculation unit 210. The initial 
value composition unit 205 is also connected with an 
external initial value input unit 206. 
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The most hardware circuits constituting usual modular Step S105: Next, the initial value composition unit 205 

exponentiation calculation devices have a circuit for adjust- judged whether the calculation result fed back by the cal- 

ing a delay time at a critical path due to transmission delay, culation result feedback unit 208 is to be used or not. If yes, 

and the usual design makes this delay time adjustment as the operation proceeds to the step S106, whereas otherwise 

small as possible. In contrast, in this second embodiment, 5 the operation proceeds to the step S107. 

the delay time by this delay time adjustment circuit is Step S106: A part or a whole of the calculation result 

designed to be varied for each modular exponentiation obtained by the modular multiplication calculation unit 210 

calculation so that a calculation time becomes different even ^ fcd back by thc calcil i a tion feedback unit 208, and 

for modular exponentiation calculations using the same this value ^ held io the iniUal vame composition unit 2 05. 

m P ul - . , . . . . ,„ f io Step S107: Thc initial value composition unit 205 com- 

In the modular exponentiation calculation device 200 of ..... . fr nn r „ „ - „.|„„ 

FIG. 7, modular exponentiation is calculated by iterating P°f es I 1 * * mU f ^J^^WiS^Jt^SS 

modular multiplication by the modular multiplication cal cntcred at the , ste P s Sl«2 S104 and SIM. Here, a method of 

culation unit 210, by the scheme of the first embodiment composing the initial value is not hmited to any specific 

described above. Here, each modular multiplication requires method * th * a**™ 1 embodiment, and it suffices for the 

a specific calculation time depending on a circuit design. I s composed value to be a value that can be used as an initial 

This calculation time is stored and managed in the maximum value (^ed) for a next random number generation. The 

calculation delay time memory unit 209 of the modular initial value composition unit 205 then supplies the com- 

exponentiation calculation control unit 201. A delay time posed initial value to the random number generation unit 

determined by thc delay time determining unit 203 is then 204. 

added to this specific calculation time of the modular 20 Step S108: The random number generation unit 204 

multiplication calculation unit 210 to yield a virtual circuit generates a random number from the initial value supplied 

delay time of the modular multiplication calculation, and the from the initial value composition unit 205, and supplies the 

modular multiplication calculation unit 210 is controlled to generated random number to the delay time determining unit 

carry out modular calculation in this virtual circuit delay 203. 

time by the delay time adjustment unit 202 so as to make 25 g tep ^109: The delay time determining unit 203 deter- 

timing attacks difficult. mines the delay time from the supplied random number. The 

The random number generation unit 204 generates a determined delay time is then added to the specific calcu- 

random number which is to be used for the purpose of lation time of tbe modular multiplication calculation unit 

making the delay time determined by the delay time deter- 210 stored in the maximi]m calculation delay time memory 

mining unit 203 random. This random number generated by ^ ^ m {Q [M ^ drcuU dd ^ of me moduhr 

the random number generation unit 204 * ther .given to Uk ^ calculflli which ^ lhen lied t0 the 

delay time determining unit 203. This random number , . r . t .' rr 

generation unit 204 generates a random number according to delay time adjustment unit 202^ 

initial value input. There are three possible ways of gener- Note that, 10 the operation described above the initial 

ating this initial value, as follows. valuc composition unit 205 composes the initial value from 

(1) A value entered from the external initial value input * values entered by any of the external initial value input unit 
unit 206 can be taken as an initial value. 206, the initial value generation unit 207 and thc calculation 

(2) A value generated by an initial value generation unit result feedback unit 208, but the initial value composition 
207 can be taken as an initial value. unit 205 may use a predetermined one of these initial value 

(3) A part or a whole (i.e. some bits or all bits) of the inputs alone, or all of these initial value inputs. It is also 
calculation result obtained by the modular multiplication *o possible to change such a selection of the initial value inputs 
calculation unit 210 as fed back by the calculation result at a prescribed period. It is also possible to randomly 
feedback unit 208 can be laken as an initial value. activate any of the external initial value input unit 206, the 

The initial value composition unit 205 can use the initial initial value generation unit 207, and the calculation result 

value given by any of the above (1), (2) and (3) singly, or in feedback unit 208. 

combination by composing values given by any of the above 45 It is also to be noted that the second embodiment has been 

(1), (2) and (3) so as to generate a random number in better described above for a case of changing the calculation delay 

quality. time for each modular exponentiation calculation, but since 

FIG. 8 shows a flow chart for the operation to determine the modular exponentiation calculation is realized by iter- 

thc delay time in thc modular exponentiation calculation ating modular multiplication calculations, it is also possible 

device of FIG. 7, which proceeds as follows. 50 to change the calculation delay time for each modular 

Step S101: First, the initial value composition unit 205 multiplication calculation constituting one modular expo- 
judges whether an external initial value input from the nentiation calculation. Since the timing attack becomes 
external initial value input unil 206 is to be used or not. If more difficult when the calculation delay time is changed 
yes, the operation proceeds to the step S102, whereas more frequently, sequentially changing the calculation delay 
otherwise the operation proceeds to the step S103. 55 time for each modular multiplication calculation is more 

Step S102: An external initial value for random genera- effective way for preventing the timing attack than iterating 

tion is entered from the external initial value input unit 206, modular multiplication calculations with the same calcula- 

and this value is held in the initial value composition unit tion delay time throughout one modular exponentiation 

205. calculation. 

Step S103: Next, thc initial value composition unit 20 5 60 This sequential changing of thc calculation delay time for 

judges whether an internal initial value generated by the each modular multiplication calculation can be realized by 

initial value generation unit 207 is to be used or not. If yes, updating the initial value for random number generation 

the operation proceeds to the step S104, whereas otherwise during the modular exponentiation calculation, preferably 

the operation proceeds to the step S105. every time the modular multiplication calculation is to be 

Step S104: An internal initial value for random generation 65 carried out. The updating of the initial value for random 

is generated by the initial value generation unil 207, and this number generation can be realized by entering a new input 

value is held in the initial value composition unit 205. from the external initial value input unil 206 or a part or a 
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whole (i.e. some bits or all bits) of the previous calculation 2. The method of claim 1, wherein the modular calcula - 

result obtained by the modular multiplication calculation tions are defined for binary numbers, and the step (c) 

unit 210 as fed back by the calculation result feedback unit calculates the modular reduction according to the redundant 

208, into the initial value composition unit 205 at suitable binary calculation scheme. 

timings during one modular exponentiation calculation, s 3. The method of claim 1, wherein the modular calcula- 

preferably every time the modular multiplication calculation tions &]so i nc i u dc a modular multiplication axb mod c where 

is to be carried out. a and b are dividends and c is a divisor, and the method 

As described, according to this second embodiment, the comprises , hc stcps of: 

delay time is varied for each modular exponentiation cal- r ■, , , 1 . 

culaiion to be used for a secret key calculation, even for in < d > obtaining a first modular reduction result a -a mod c 

cases of using exactly the same parameters, so that it 10 ^8 the ste P s W, ( b ) and 

becomes difficult to derive a secret key even if the calcula- (e) obtaining a second modular reduction result b'-b mod 

tion time is accurately measured and therefore it is possible c using the steps (a), (b) and (c); and 

to effectively prevent the highly dangerous timing attacks to ca i cu i a ting the modular multiplication a'xb' mod c 

the public key cryptosystems using modular exponentiation ^ a < obtained by the step (d) and b* obtained by the 

calculation. ...,.«. step (e), to obtain a modular multiplication result. 

In addition, 0ns second embodiment is parUcularly effec- 4 The method of daim 3 WQerein me modular calcula . 
tive when a dedicated processor which is not affected by the ^ ^ a modular entiation a * mod c wbxre 
S?n r ca P lc 0 uS g 15 exponents a fc a % ^ an cxponcnt and c a md ^ 
Tt fe to benoted that the above described embodiments 20 method forther c ° m P™s ste P of: 
according to the present invention may be conveniently (g) calculating the modular exponentiation a* mod c by 
implemented using a conventional general purpose digital iterating the modular multiplication using the steps (d), 
computer programmed according to the teachings of the (e) and re- 
present specification, as will be apparent to those skilled in 5. The method of claim 4, wherein the modular exponen- 
the computer art. Appropriate software coding can readily be 25 tiation is used as the basic operation of the public key 
prepared by skilled programmers based on the teachings of cryptosystem, which is to be carried out many times by a 
the present disclosure, as will be apparent to those skilled in modular exponentiation calculation device, and the method 
the software art. further comprises the step of: 

In particular each of the modular calculation device 100 . a dd ^ at a critkal h due l0 ^ 

™* lG f uir n n modul ar exponentiation calculaUon device 3Q mi J on b dela £ the modular expon e n tiation calcula- 

200 of FIG. 7 can be conveniently implemented in a torm ot . , . . t . c , , A . 

a software package. 11011 at each tirae of calculating the modular 

Such a software package can be a computer program , exponentiation. . 

product which employs a storage medium including stored 6 - The method of claim 5 > wherem the ste P ( h > mcludes 

computer code which is used to program a computer to me s^P 5 °f ; 

perform the disclosed function and process of the present 35 (hi) entering a delay information necessary for varying a 

invention. The storage medium may include, but is not calculation time of the modular exponentiation by the 

limited to, any type of conventional floppy disks, optical modular exponentiation calculation device; 

disks, CD-ROMs, magneto-optical disks, ROMs, RAMs, (h2) delerminmg the de i a y time according to the delay 

EPROMs, EEPROMs, magnetic or optical cards, or any information entered at the step (hi); and 

other suitable media for storing electronic instructions. 40 „ _ „. , , , . . , , . 

It is also to be noted that, besides those already mentioned ( h3 > controlling the modular exponentiation calculation 

above, many modifications and variations of the above device t0 can T out me ste P according to the delay 

embodiments may be made without departing from the time determined by the step (h2), so as to vary the delay 

novel and advantageous features of the present invention. "'me at each time of calculating the modular exponen- 

Accordingly, all such modifications and variations are 45 tiation. 

intended to be included within the scope of the appended 7. The method of claim 6, wherein the step (hi) includes 

claims. the steps of: 

What is claimed is: (hll) generating an initial value necessary for generating 

1. A method for carrying out a basic operation of a public a ran dom number; and 

key cryptosystem using modular calculations based on a 5Q (hl2 ) generating the random number from the initial value 

redundant binary calculation scheme, including a modular generated by the step (hll); 

reduction a mod c where a is a dividend and c is a divisor, wherejn the step (h2) determines the deIay Umc from 

comprising the steps of: the raridom number generated by the step (hl2). 

(a) registering the dividend a and the divisor c in a g mThe raelhod of c i aim 7) wne rein the step (hll) gener- 
dividend register and a divisor register, respectively; 55 ates tne mitial va]ue f rom any one or combination of a 

(b) left shifting the divisor c in the divisor register by (i-j) plurality of input values including an internally generated 
digits when a number of digits j of the divisor c is less mpu t value, an externally entered input value, and a part or 
than a number of digits i that can be stored in the divisor a w h 0 lc of a previously obtained modular multiplication 
register; calculation result fed back from a previous iteration of the 

(c) calculating the modular reduction a mod c up to eo modular multiplication at the step (g). 

(i-j)-lh decimal place using the dividend a in the 9. The method of claim 7, wherein the step (hll) gener- 

dividend register and the divisor c in the divisor register ates a new value for the initial value and the step (hl2) 

as left shifted by the step (b), to obtain a remainder as generates a new value for the random number during cal- 

a modular reduction result; and culation of the modular exponentiation at the step (g), so that 

(d) carrying out the basic operation of the public key 6S the step (h2) determines a new value of the delay time during 
cryptosystem using the modular reduction result calculation of the modular exponentiation at the step (g), and 
obtained by the step (c). the step (h3) controls the modular exponentiation calculation 
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device to carry out the step (g) according to the new value 
of the delay time determined by the step (h2), so as to vary 
the delay time during calculation of the modular exponen- 
tiation at the step (g). 

10. The method of claim 7, wherein the step (bll) 5 
generates a new value for the initial value and the step (hi 2) 
generates a new value for the random number at each time 
of iterating the modular multiplication at the step (g), so that 
the step (h2) determines a new value of the delay time at 
each time of iterating the modular multiplication at the step 10 
(g), and the step (h3) controls the modular exponentiation 
calculation device to carry out each modular multiplication 

at the step (g) according to the new value of the delay time 
determined by the step (h2), so as to vary the delay time al 
each time of calculating the modular multiplication. is 

11 . A method for carrying out a basic operation of a public 
key cryptosystem using modular calculations based on a 
redundant binary calculation scheme, including a modular 
reduction a mod c where a is a dividend given in h*ary 
notation and c is a divisor given in h-ary notation, compris- 20 
ing the steps of: 

(a) registering the dividend a and the divisor c in a 
dividend register and a divisor register, respectively; 

(b) left shifting the divisor c in the divisor register by (i-j) 
digits when a number of digits j of the divisor c is less 25 
than a number of digits i that can be stored in the divisor 
register; 

(c) left shifting the dividend a in the register by (k-1) 
digits when a number of digits 1 of the dividend a is less 3Q 
than a number of digits k that can be stored in the 
register, where k^i; 

(d) calculating the modular reduction a mod c up to a digit 
of (k-l)-(i-j)-lh power of h using the dividend a in the 
register as left shifted by the step (c) and the divisor c 35 
in the divisor register as left shifted by the step (b), to 
obtain a remainder; 

(e) right shifting the remainder obtained by the step (d) by 
(k-1) digits, to obtain a modular reduction result; and 

(f) carrying out the basic operation of the public key 40 
cryptosystem using the modular reduction result 
obtained by the step (e). 

12. The method of claim 11, wherein the modular calcu- 
lations are defined for binary numbers, and the step (d) 
calculates the modular reduction according to the redundant 45 
binary calculation scheme. 

13. The method of claim 11, wherein the modular calcu- 
lations also include a modular multiplication axb mod c 
where a and b are dividends and c is a divisor, and the 
method further comprises the steps of: 50 

(j) obtaining a first modular reduction result a'«a mod c 
using the steps (a), (b), (c), (d) and (e); 

(g) obtaining a second modular reduction result b'-b mod 

c using the steps (a), (b), (c), (d) and (e); and S5 

(h) calculating the modular multiplication a'xb' mod c 
using a' obtained by the step (f) and b' obtained by the 
sle P (g)i 10 obtain a modular multiplication result. 

14. The method of claim 13, wherein the modular calcu- 
lations also include a modular exponentiation a* mod c 60 
where a is a dividend, x is an exponent and c is a divisor, and 
the method further comprises the step of: 

(i) calculating the modular exponentiation a 1 mod c by 
iterating the modular multiplication using the steps (f), 
(g) and (h). 65 

15. The method of claim 14, wherein the modular expo- 
nentiation is used as the basic operation of the public key 
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cryptosystem, which is to be carried out many times by a 
modular exponentiation calculation device, and the method 
further the step of: 

(j) varying a delay time at a critical path due to transmis- 
sion delay in the modular exponentiation calculation 
device, at each time of calculating the modular expo- 
nentiation. 

16. The method of claim 15, wherein the step (j) includes 
the steps of: 

fjl) entering a delay information necessary for varying a 
calculation time of the modular exponentiation by the 
modular exponentiation calculation device; 

(J2) determining the delay time according to the delay 
information entered at the step (jl); and 

(j3) controlling the modular exponentiation calculation 
device to carry out the step (i) according to the delay 
time determined by the step (j2), so as to vary the delay 
time at each time of calculating the modular exponen- 
tiation. 

17. The method of claim 16, wherein the step (jl) includes 
the steps of: 

(jll) generating an initial value necessary for generating 

a random number; and 
(J12) generating the random number from the initial value 

generated by the step (jll); 

wherein the step (j2) determines the delay time from 
the random number generated by the step (jl2). 

18. The method of claim 17, wherein the step (jll) 
generates the initial value from any one or combination of a 
plurality of input values including an internally generated 
input value, an externally entered input value, and a part or 
a whole of a previously obtained modular multiplication 
calculation result fed back from a previous iteration of the 
modular multiplication at the step (g), 

19. The method of claim 17, wherein the step (jll) 
generates a new value for the initial value and the step (jl2) 
generates a new value for the random number during cal- 
culation of the modular exponentiation at the step (i), so that 
the step (j2) determines a new value of the delay time during 
calculation of the modular exponentiation at the step (i), and 
the step (j3) controls the modular exponentiation calculation 
device to carry out the step (i) according to the new value of 
the delay time determined by the step (j2), so as to vary the 
delay time during calculation of the modular exponentiation 
at the step (i). 

20. The method of claim 17, wherein the step (jll) 
generates a new value for the initial value and the step (jl2) 
generates a new value for the random number at each time 
of iterating the modular multiplication at the step (i), so that 
the step (j2) determines a new value of the delay time at each 
time of iterating the modular multiplication at the step (0, 
and the step (j3) controls the modular exponentiation cal- 
culation device to carry out each modular multiplication at 
the step (i) according to the new value of the delay time 
determined by the step (j2), so as to vary the delay time at 
each time of calculating the modular multiplication. 

21. A method for carrying out a basic operation of a public 
key cryptosystem using modular calculations based on a 
redundant binary calculation scheme, including a modular 
multiplication axb mod c where a and b are dividends and 
c is a divisor, the steps of: 

(a) obtaining a first modular reduction a'=a mod c by: 

(aa) registering the dividend a and the divisor c in a first 
dividend register and a second divisor register, 
respectively; 

(ab) left shifting the divisor c in the first divisor register 
by (i-j) digits when a number of digits j of the 
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divisor c is less than a number of digits i thai can be 
stored in the first divisor register; and 
(ac) calculating the first modular reduction a'»a mod c 
up to (i-j)-th decimal place using the dividend a in 
the first dividend register and the divisor c in the first s 
divisor register as left shifted by the step (ab), to 
obtain a remainder as a modular reduction result; 

(b) obtaining a second modular reduction b'=b mod c by: 

(ba) registering the dividend b and the divisor c given 

in h-ary notation in a second dividend register and a 1( > 
second divisor register, respectively; 

(bb) left shifting the divisor c in the second divisor 
register by (m-n) digits when a number of digits n of 
the divisor c is less than a number of digits m that can 
be stored in the second divisor register; ^ 

(be) left shifting the b in the second register by (k-1) 
digits when a number of digits 1 of the dividend b is 
less than a number of digits k that can be stored in the 
dividend register, where k^m; 

(bd) calculating the second modular reduction a'-a mod 20 
c up to a digit of (k-l)-(m-n)-th power of h using the 
dividend b in the second dividend register as left 
shifted by the step (be) and the divisor c in the 
second divisor register as left shifted by the step (bb), 

to obtain a remainder; and 25 

(be) right shifting the remainder obtained by the step 
(bd) by (k-1) digits, to obtain a modular reduction 
result; 

(c) calculating a modular multiplication a'xb* mod c using 

a 1 obtained by the step (a) and b' obtained by the step 30 
(b), to obtain a modular multiplication result; and 

(d) carrying out the basic operation of the public key 
cryptosystem using the modular multiplication result 
obtained by the step (c). 35 

22. A device for carrying out modular calculations based 
on a redundant binary calculation scheme, including a 
modular reduction a mod c where a is a dividend and c is a 
divisor, comprising: 

a dividend register for registering the dividend a; &Q 

a divisor register for registering the divisor c; 

a shifting unit for left shifting the divisor c in the divisor 
register by (i-j) digits when a number of digits j of the 
divisor c is less than a number of digits i that can be 
stored in the divisor register; and 45 

a calculation unit for calculating the modular reduction a 
mod c up to (i-j)-th decimal place using the dividend 
a in the dividend register and the divisor c in the divisor 
register as left shifted by the shifting unit, to obtain a 
remainder as a modular reduction result. so 

23. The device of claim 22, wherein the modular calcu- 
lations are defined for binary numbers, and the calculation 
unit calculates the modular reduction according to the redun- 
dant binary calculation scheme. 

24. The device of claim 22, wherein the modular calcu- ss 
lations also include a modular multiplication axb mod c 
where a and b are dividends and c is a divisor, and the 
calculation unit also calculates the modular multiplication 
by obtaining a first modular reduction result a'=a mod c, 
obtaining a second modular reduction result b'=b mod c, and 60 
calculating the modular multiplication a'xb' mod c to obtain 

a modular multiplication result. 

25. The device of claim 24, wherein the modular calcu- 
lations also include a modular exponentiation a* mod c 
where a is a dividend, x is an exponent and c is a divisor, and 65 
the calculation unit also calculates the modular exponentia- 
tion a* mod c by iterating the modular multiplication. 



26. The device of claim 25, wherein the modular expo- 
nentiation is used as a basic operation of a public key 
cryptosystem, which is to be carried out many times by said 
device, and said device further comprises: 

a calculation control unit for varying a delay time at a 
critical path due to transmission delay in said device, at 
each time of calculating the modular exponentiation. 

27. The device of claim 26, wherein the calculation 
control unit includes: 

an input unit for entering a delay information necessary 
for varying a calculation time of the modular exponen- 
tiation by said device; 

a determining unit for determining the delay time accord- 
ing to the delay information entered by the input unit; 
and 

a control unit for controlling the calculation unit to 
calculate the modular exponentiation according to the 
delay time determined by the determining unit, so as to 
vary the delay time at each time of calculating the 
modular exponentiation. 

28. The device of claim 27, wherein the input unit 
includes: 

an initial value input unit for generating an initial value 

necessary for generating a random number; and 
a random number generation unit for generating the 

random number from the initial value generated by the 

initial value input unit; 
wherein the determining unit determines the delay time 

from the random number generated by the random 

number generation unit. 

29. The device of claim 28, wherein the initial value input 
unit generates the initial value from any one or combination 
of a plurality of input values including an internally gener- 
ated input value, an externally entered input value, and a part 
or a whole of a previously obtained modular multiplication 
calculation result fed back from a previous iteration of the 
modular multiplication by the calculation unit. 

30. The device of claim 28, wherein the initial value input 
unit generates a new value for the initial value and the 
random number generation unit generates a new value for 
the random number during calculation of the modular expo- 
nentiation by the calculation unit, so that the determining 
unit determines a new value of the delay time during 
calculation of the modular exponentiation by the calculation 
unit, and the control unit controls the calculation unit 
according to the new value of the delay time determined by 
the determining unit, so as to vary the delay time during 
calculation of the modular exponentiation by the calculation 
unit. 

31. The device of claim 28, wherein the initial value input 
unit generates a new value for the initial value and the 
random number generation unit generates a new value for 
the random number at each time of iterating the modular 
multiplication by the calculation unit, so that the determin- 
ing unit determines a new value of the delay time at each 
time of iterating the modular multiplication by the calcula- 
tion unit, and the control unit controls each modular multi- 
plication by the calculation unit according to the new value 
of the delay time determined by the determining unit, so as 
to vary the delay time at each time of calculating the 
modular multiplication by the calculation unit. 

32. A device for carrying out modular calculations based 
on a redundant binary calculation scheme, including a 
modular reduction a mod c where a is a dividend given in 
h-ary notation and c is a divisor given in a h-ary notation, 
comprising: 
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a dividend register for registering the dividend a; 

a divisor register for registering the divisor c; 

a divisor shifting unit for left shifting the divisor c in the 
divisor register by (i-j) digits when a number of digits 
j of the divisor c is less than a number of digits i that 5 
can be stored in the divisor register, 

a dividend shifting unit for left shifting the dividend a in 
the dividend register by (k-1) digits when a number of 
digits 1 of the dividend a is less than a number of digits 
k that can be stored in the dividend register, where k^i; 10 

a calculation unit for calculating the modular reduction a 
mod c up to a digit of (k-l)-(i-j)-th power of h using 
the dividend a in the dividend register as left shifted by 
the dividend shifting unit and the divisor c in the divisor 
register as left shifted by the divisor shifting unit, to 15 
obtain a remainder; and 

a remainder shifting unit for right shifting the remainder 
obtained by the calculation unit by (k-1) digits, to 
obtain a modular reduction result 

33. The device of claim 32, wherein the modular calcu- 20 
lations are defined for binary numbers, and the calculation 
unit calculates the modular reduction according to the redun- 
dant binary calculation scheme. 

34. The device of claim 32, wherein the modular calcu- 
lations also include a modular multiplication axb mod c 25 
where a and b are dividends and c is a divisor, and the 
calculation unit also calculates the modular multiplication 
by obtaining a first modular reduction result a'-a mod c, 
obtaining a second modular reduction result b'-b mod c, and 
calculating the modular multiplication a'xb' mod c to obtain 30 
a modular multiplication result. 

35. The device of claim 34, wherein the modular calcu- 
lations also include a modular exponentiation a* mod c 
where a is a dividend, x is an exponent and c is a divisor, and 
the calculation unit also calculates the modular exponentia- 35 
tion a* mod c by iterating the modular multiplication. 

36. The device of claim 35, wherein the modular expo- 
nentiation is used as a basic operation of a public key 
cryptosystem, which is to be carried out many times by said 
device, and said device further comprises: 40 

a calculation control unit for varying a delay time at a 
critical path due to transmission delay in said device, at 
each time of calculating the modular exponentiation. 

37. The device of claim 36, wherein the calculation 
control unit includes: 

an input unit for entering a delay information necessary 
for varying a calculation time of the modular exponen- 
tiation by said device; 

a determining unit for determining the delay time accord- 50 
ing to the delay information entered by the input unit; 
and 

a control unit for controlling the calculation unit to 
calculate the modular exponentiation according to the 
delay time determined by the determining unit, so as to 5S 
vary the delay time at each time of calculating the 
modular exponentiation. 

38. The device of claim 37, wherein the input unit 
includes: 

an initial value input unit for generating an initial value 60 

necessary for generating a random number; and 
a random number generation unit for generating the 

random number from the initial value generated by the 

initial value input unit; 
wherein the determining unit determines the delay time 65 

from the random number generated by the random 

number generation unit. 
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39. The device of claim 38, wherein the initial value input 
unit generates the initial value from any one or combination 
of a plurality of input values including an internally gener- 
ated input value, an externally entered input value, and a part 
or a whole of a previously obtained modular multiplication 
calculation result fed back from a previous iteration of the 
modular multiplication by the calculation unit. 

40. The device of claim 38, wherein the initial value input 
unit generates a new value for the initial value and the 
random number generation unit generates a new value for 
the random number during calculation of the modular expo- 
nentiation by the calculation unit, so that the determining 
unit determines a new value of the delay time during 
calculation of the modular exponentiation by the calculation 
unit, and the control unit controls the calculation unit 
according to the new value of the delay time determined by 
the determining unit, so as to vary the delay lime during 
calculation of the modular exponentiation by the calculation 
unit. 

41. The device of claim 38, wherein the initial value input 
unit generates a new value for the initial value and the 
random number generation unit generates a new value for 
the random number at each time of iterating the modular 
multiplication by the calculation unit, so that the determin- 
ing unit determines a new value of the delay time at each 
time of iterating the modular multiplication by the calcula- 
tion unit, and the control unit controls each modular multi- 
plication by the calculation unit according to the new value 
of the delay time determined by the determining unit, so as 
to vary the delay time at each time of calculating the 
modular multiplication by the calculation unit. 

42. A device for carrying out modular calculations based 
on a redundant binary calculation scheme, including a a 
modular multiplication axb mod c where a and b are 
dividends and c is a divisor, comprising: 

a first modular reduction calculation unit including: 

a first dividend register for registering the dividend a; 

a first divisor register for registering the divisor c; 

a shifting unit for left shifting the divisor c in the first 
divisor register by (i-j) digits when a number of 
digits j of the divisor c is less than a number of digits 
i that can be stored in the first divisor register; and 

a first calculation unit for calculating a first modular 
reduction a'=a mod c up to (i-j)-th decimal place 
using the dividend a in the first dividend register and 
the divisor c in the first divisor register as left shifted 
by the shifting unit, to obtain a remainder as a 
modular reduction result; 
a second modular reduction calculation unit including: 

a second dividend register for registering the dividend 
b given in h-ary notation; 

a second divisor register for registering the divisor c 
given in h-ary notation; 

a divisor shifting unit for left shifting the divisor c in 
the second divisor register by (m-n) digits when a 
number of digits n of the divisor c is less than a 
number of digits m that can be stored in the second 
divisor register; 

a dividend shifting unit for left shifting the dividend b 
in the second dividend register by (k-1) digits when 
a number of digits 1 of the dividend b is less than a 
number of digits k that can be stored in the second 
dividend register, where kSm; 

a second calculation unit for calculating a second 
modular reduction b'-b mod c up to a digit of 
(k-l)-(m-n)-th power of h using the dividend b in 
the second dividend register as left shifted by the 
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dividend shifting unit and the divisor c in the second 
divisor register as left shifted by the divisor shifting 
unit, to obtain a remainder; and 

a remainder shifting unit for right shifting the remain- 
der obtained by the second calculation unit by (k-1) 
digits, to obtain a modular reduction result; and 
a modular multiplication calculation unit for calculating a 

modular multiplication a'xb' mod c to obtain a modular 

multiplication result. 

43. An article of manufacture, comprising: 
a computer usable medium having computer readable 

program code means embodied therein for causing a 
computer to function as a system for carrying out 
modular calculations based on a redundant binary cal- 
culation scheme, including a modular reduction a mod 
c where a is a dividend and c is a divisor, the computer 
readable program code means including: 
first computer readable program code means for causing 
said computer to register the dividend a and the divisor 
c in a dividend register and a divisor register, respec- 
tively; 

second computer readable program code means for caus- 
ing said computer to left shift the divisor c in the divisor 
register by (i-j) digits when a number of digits j of the 
divisor c is less than a number of digits i that can be ^ 
stored in the divisor register; and 

third computer readable program code means for causing 
said computer to calculate the modular reduction a mod 
cup to (i-j)-th decimal place using the dividend a in the 
dividend register and the divisor c in the divisor register 
as left shifted by the second computer readable pro- 
gram code means, to obtain a remainder as a modular 
reduction result. 

44. The article of manufacture of claim 43, wherein the 
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for varying a calculation time of the modular exponen- 
tiation by said system; 

sixth computer readable program code means for causing 
said computer to determine the delay time according to 
the delay information entered by the fifth computer 
readable program code means; and 

seventh computer readable program code means for caus- 
ing said computer to control the third computer read- 
able program code means to calculate the modular 
exponentiation according to the delay time determined 
by the sixth computer readable program code means, so 
as to vary the delay time at each time of calculating the 
modular exponentiation. 

49. The article of manufacture of claim 4S t wherein the 
fifth computer readable program code means further 
includes: 

eighth computer readable program code means for caus- 
ing said computer to generate an initial value necessary 
for generating a random number; and 

ninth computer readable program code means for causing 
said computer to generate the random number from the 
initial value generated by the eighth computer readable 
program code means; 

wherein the sixth computer readable program code means 
determines the delay lime from the random number 
generated by the ninth computer readable program code 
means. 

50. The article of manufacture of claim 49, wherein the 
eighth computer readable program code means generates the 
initial value from any one or combination of a plurality of 
input values including an internally generated input value, 
an externally entered input value, and a part or a whole of 
a previously obtained modular multiplication calculation 
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third computer readable program code means calculates the 
modular reduction according to the redundant binary calcu- 
lation scheme. 

45. The article of manufacture of claim 43, wherein the 
modular calculations also include a modular multiplication 40 
axb mod c where a and b are dividends and c is a divisor, and 
the third computer readable program code means also cal- 
culates the modular multiplication by obtaining a first modu- 
lar reduction result a' -a mod c, obtaining a second modular 
reduction result b'ob mod c, and calculating the modular 45 
multiplication a'xb' mod c to obtain a modular multiplication 
result. 

46. The article of manufacture of claim 45, wherein the 
modular calculations also include a modular exponentiation 
a* mod c where a is a dividend, x is an exponent and c is a 
divisor, and the third computer readable program code 
means also calculates the modular exponentiation a* mod c 
by iterating the modular multiplication. 

47. The article of manufacture of claim 46, wherein the 
modular exponentiation is used as a basic operation of a 
public key cryptosystem, which is to be carried out many 
times by said system, and the computer readable program 
code means further includes: 

fourth computer readable program code means for caus- 
ing said computer to vary a delay time at a critical path 60 
due to transmission delay in said system, at each time 
of calculating the modular exponentiation. 

48. The article of manufacture of claim 47, wherein the 
fourth computer readable program code means further 
includes: 65 

fifth computer readable program code means for causing 
said computer to enter a delay information necessary 
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multiplication by the third computer readable program code 
means. 

51. The article of manufacture of claim 49, wherein the 
eighth computer readable program code means generates a 
new value for the initial value and the ninth computer 
readable program code means generates a new value for the 
random number during calculation of the modular exponen- 
tiation by the third computer readable program code means, 
so that the sixth computer readable program code means 
determines a new value of the delay time during calculation 
of the modular exponentiation by the third computer read- 
able program code means, and the seventh computer read- 
able program code means controls the third computer read- 
able program code means according to the new value of the 
delay time determined by the sixth computer readable pro- 
gram code means, so as to vary the delay time during 
calculation of the modular exponentiation by the third 
computer readable program code means. 

52. The article of manufacture of claim 49, wherein the 
eighth computer readable program code means generates a 
new value for the initial value and the ninth computer 
readable program code means generates a new value for the 
random number at each time of iterating the modular mul- 
tiplication by the third computer readable program code 
means, so that the sixth computer readable program code 
means determines a new value of the delay time at each time 
of iterating the modular multiplication by the third computer 
readable program code means, and the seventh computer 
readable program code means controls each modular mul- 
tiplication by the third computer readable program code 
means according to the new value of the delay time deter- 
mined by the sixth computer readable program code means, 
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so as to vary the delay time at each time of calculating the 
modular multiplication by the third computer readable pro- 
gram code means. 

53. An article of manufacture, comprising: 

a computer usable medium having computer readable s 
program code means embodied therein for causing a 
computer to function as a system for carrying out 
modular calculations based on a redundant binary cal- 
culation scheme, including a modular reduction a mod 
c where a is a dividend given in h-ary notation and c is 10 
a divisor given in h-ary notation, the computer readable 
program code means including: 

first computer readable program code means for causing 
said computer to register the dividend a and the divisor 
c in a dividend register and a divisor register, respec- ^ 
tively; 

second computer readable program code means for caus- 
ing said computer to left shift the divisor c in the divisor 
register by (i-j) digits when a number of digits j of the 
divisor c is less than a number of digits i that can be 2Q 
stored in the divisor register; 

third computer readable program code means for causing 
said computer to left shift the dividend a in the dividend 
register by (k-1) digits when a number of digits 1 of the 
dividend a is less than a number of digits k that can be ^ 
stored in the dividend register, where k^i; 

fourth computer readable program code means for caus- 
ing said computer to calculate the modular reduction a 
mod c up to a digit of (k-l)-(i-j)-th power of h using 
the dividend a in the dividend register as left shifted by 30 
the third computer readable program code means and 
the divisor c in the divisor register as left shifted by the 
second computer readable program code means, to 
obtain a remainder; and 

fifth computer readable program code means for causing 35 
said computer to right shift the remainder obtained by 
the fourth computer readable program code means by 
(k-1) digits, to obtain a modular reduction result. 

54. The article of manufacture of claim 53, wherein the 
modular calculations arc defined for binary numbers, and the 40 
fourth computer readable program code means calculates the 
modular reduction according to the redundant binary calcu- 
lation scheme. 

55. The article of manufacture of claim 53, wherein the 
modular calculations also include a modular multiplication 45 
axb mod c where a and b are dividends and c is a divisor, and 
the fourth computer readable program code means also 
calculates the modular multiplication by obtaining a first 
modular reduction result a'-a mod c, obtaining a second 
modular reduction result b'»b mod c, and calculating the so 
modular multiplication a'xb' mod c to obtain a modular 
multiplication result. 

56. The article of manufacture of claim 55, wherein the 
modular calculations also include a modular exponentiation 

a* mod c where a is a dividend, x is an exponent and c is a 55 
divisor, and the fourth computer readable program code 
means also calculates the modular exponentiation a* mod c 
by iterating the modular multiplication. 

57. The article of manufacture of claim 56, wherein the 
modular exponentiation is used as a basic operation of a 60 
public key cryptosystem, which is to be carried out many 
times by said system, and the computer readable program 
code means further includes: 

sixth computer readable program code means for causing 
said computer to vary a delay time at a critical path due 65 
to transmission delay in said system, at each time of 
calculating the modular exponentiation. 
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58. The article of manufacture of claim 57, wherein the 
sixth computer readable program code means further 
includes: 

seventh computer readable program code means for caus- 
ing said computer to enter a delay information neces- 
sary for varying a calculation time of the modular 
exponentiation by said system; 

eighth computer readable program code means for caus- 
ing said computer to determine the delay time accord- 
ing to the delay information entered by the seventh 
computer readable program code means; and 

ninth computer readable program code means for causing 
said computer to control the fourth computer readable 
program code means to calculate the modular expo- 
nentiation according to the delay time determined by 
the eighth computer readable program code means, so 
as to vary the delay time at each time of calculating the 
modular exponentiation. 

59. The article of manufacture of claim 58, wherein the 
seventh computer readable program code means further 
includes: 

tenth computer readable program code means for causing 
said computer to generate an initial value necessary for 
generating a random number; and 

eleventh computer readable program code means for 
causing said computer to generate the random number 
from the initial value generated by the tenth computer 
readable program code means; 

wherein the eighth computer readable program code 
means determines the delay time from the random 
number generated by the eleventh computer readable 
program code means. 

60. The article of manufacture of claim 59, wherein the 
tenth computer readable program code means generates the 
initial value from any one or combination of a plurality of 
input values including an internally generated input value, 
an externally entered input value, and a part or a whole of 
a previously obtained modular multiplication calculation 
result fed back from a previous iteration of the modular 
multiplication by the fourth computer readable program 
code means. 

61. The article of manufacture of claim 59, wherein the 
tenth computer readable program code means generates a 
new value for the initial value and the eleventh computer 
readable program code meaas generates a new value for the 
random number during calculation of the modular exponen- 
tiation by the fourth computer readable program code 
means, so that the eighth computer readable program code 
means determines a new value of the delay lime during 
calculation of the modular exponentiation by the fourth 
computer readable program code means, and the ninth 
computer readable program code means controls the fourth 
computer readable program code means according to the 
new value of the delay time determined by the eighth 
computer readable program code means, so as to vary the 
delay time during calculation of the modular exponentiation 
by the fourth computer readable program code means. 

62. The article of manufacture of claim 59, wherein the 
tenth computer readable program code means generates a 
new value for the initial value and the eleventh computer 
readable program code means generates a new value for the 
random number at each time of iterating the modular mul- 
tiplication by the fourth computer readable program code 
means, so that the eighth computer readable program code 
means determines a new value of the delay time al each time 
of iterating the modular multiplication by the fourth com- 
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puter readable program code means, and the moth computer 
readable program code means controls each modular mul- 
tiplication by the fourth computer readable program code 
means according to the new value of the delay time deter- 
mined by the eighth computer readable program code s 
means, so as to vary the delay time at each time of calcu- 
lating the modular multiplication by the fourth computer 
readable program code means. 

63. An article of manufacture, comprising: 
a computer usable medium having computer readable 10 
program code means embodied therein for causing a 
computer to function as a system for carrying out 
modular calculations based on a redundant binary cal- 
culation scheme, including a modular multiplication 
axb mod c where a and b are dividends and c is a 15 
divisor, the computer readable program code means 
including: 

a first computer readable program code means for causing 
said computer to obtain a first modular reduction a'«a 
mod c by: registering the dividend a and the divisor c 20 
in a first dividend register and a first divisor register, 
respectively; left shifting the divisor c in the first 
divisor register by (i-j) digits when a number of digits 
j of the divisor c is less than a number of digits i that 
can be stored in the first divisor register; and calculat- 25 
ing a first modular reduction a mod c up to (i-j)-tb 
decimal place using the dividend a in the first dividend 
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register and the divisor c in the first divisor register as 
left shifted, to obtain a remainder as a modular reduc- 
tion result; 

a second computer readable program code means for 
causing said computer to obtain a second modular 
reduction by: registering the dividend b and the divisor 
c given in h-ary notation in a second dividend register 
and a second divisor register, respectively; left shifting 
the divisor c in the second divisor register by (m-n) 
digits when a number of digits n of the divisor c is less 
than a number of digits m that can be stored in the 
second divisor register; left shifting the dividend b in 
the second dividend register by (k-l) digits when a 
number of digits 1 of the dividend a is less than a 
number of digits k that can be stored in the second 
dividend register, where k^m; calculating a second 
modular reduction b'=b mod c up to a digit of (k-1)- 
(m-n)-th power of h using the dividend b in the second 
dividend register as left shifted and the divisor c in the 
second divisor register as left shifted, to obtain a 
remainder; and right shifting the remainder by (k-l) 
digits, to obtain a modular reduction result; and 

a third computer readable program code means for caus- 
ing said computer to calculate a modular multiplication 
a'xb' mod c to obtain a modular multiplication result. 

***** 
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